Continuity and Resilience (CORE), ISO 22301 BCM Consulting Firm
Presentations by speakers at the 4th India Business & IT Resilience Summit, 7th October 2016 | Hotel Hilton, Mumbai, India
Our Contact Details:
INDIA
Continuity and Resilience, Level 15, Eros Corporate Tower, Nehru Place, New Delhi-110019
Tel: +91 11 41055534 / +91 11 41613033, Fax: +91 11 41055535
Email: [email protected]
UAE
Continuity and Resilience, P. O. Box 127557, Abu Dhabi, United Arab Emirates
Mobile: +971 50 8460530, Tel: +971 2 8152831, Fax: +971 2 8152888
Email: [email protected]
Prof. Venugopal Iyengar
Visiting Faculty, JBIMS (University of Mumbai)
Director - International Organization for Trust Management (IOTM)
Independent Director - Allied Digital Services Ltd, AAA Technologies PL
M.Sc; DIRM; DTT; DCS; DCM;
Certified Information System Auditor [CISA - ISACA]
Certified Information Security Manager [CISM - ISACA]
Certified in Governance of Enterprise IT [CGEIT - ISACA]
Certified in Risk in Information System and Control (CRISC - ISACA)
COBIT5 Foundation, Implementation and Certified Assessor (ISACA)
Certified Information System Security Professional [CISSP - (ISC)2]
Attended Certified Business Continuity Advanced Course leading to CBLE2000 by DRI Asia
Certified Data Protection Specialist - DMI
Certified Auditor - Quality Management System (QMS) ISO 9001:2008
Certified Auditor - Information Security Management System (ISMS) BS ISO27001:2013
Certified Auditor - Business Continuity Management (BCMS) ISO 22301:2012
Certified for Information Technology Service Management (ITSMS) ISO 20000-1:2011
Criteria for 'Certification of Inspection Lab' ISO/IEC 17020
Associate Member, Association of Certified Fraud Examiners (USA) [ACFE]
Member of QAT, TEC, JPA and CSE for Education Board of ISACA, Illinois, USA
Member, Govt. and Regulatory Authorities Board Task Force - ASIA ISACA
Member of the Expert Committee for eSecurity Program, Dept. of IT, MC&IT, GoI
President Emeritus, ISACA Mumbai Chapter (2005-06)
Recipient of Microsoft MVP award in 2006 for contribution to global security community
Recipient of "Pillar of Hindustani Society" award in 2008 for contribution to IS Audit and InfoSec Global Professional Community from TACCI & IMCC
Ex-Test Supervisor, (ISC)2 Asia Pacific, India Operations
Life Member - Computer Society of India
Life Member - Quality Forum - Netherlands
Life Member - Cine Technician Association of South India
Life Member - National Library
International Member - ISACA, ISC2, CFE, IEEE, ISA (Internet Security Alliance); associated with BCAS, BCC&I, BSI, CII, EU Council, IBA, ICAI, ICSI, IRQS, MAIT, NASSCOM, TLF, UL
Expectations in DRAAS from CSP
4th INDIA Business & IT Resilience Summit: October 7, 2016, Hilton - Mumbai
Prof. Venugopal Iyengar, Director, IOTM
Can we eradicate downtime & data loss in a cloud environment? The problem of traditional DR
Most businesses are ill-equipped to quickly respond to outages (Ref: Infrascale)
If the above statement is true, can we expect a newer approach to recovery?
1. When an outage occurs
2. Can we expect a technology to recover and virtualize?
3. Users continue to work as if nothing has happened
Reality: in a cloud environment, users continue to work for some time until they realize there is a problem.
The problem gets attributed to the ISP, a local disk issue, etc., and not to the CSP.
Failover In Action - SLA
GOOD: Backup to disk or tape onsite and store off site; software snapshots; instant VM recovery and quarterly DR testing
BETTER: Full backup, with multiple daily incremental backups to disk & tape; software snapshots; invocation of DR site, local/remote virtual standby for key systems
BEST: Multi-site replication, with global backup to disk and tape; hourly software snapshots; functional mission-critical systems; automated DR testing with reporting
Can we move DR to Cloud? Classic expectations:
Enterprise
o Low RTO/RPO
o Data consistency
o Fallback
o One-touch deployment & maintenance
o Automated testability
o Easy scalability
What does Endure Say?
Most CSPs, including Azure, say something similar: "Moving to the cloud can drastically reduce the amount of effort and maintenance costs associated with IT infrastructures. But as an enterprise, how easy is it to get there? Find out why having a well-managed, on-premises deployment will save you headaches and resources in the future."
Weapon of Math Destruction is on the anvil…
Does that mean you get into Cloud without headache and worry about it in future?
About DR from virtualization & Cloud vendors
• Some server virtualization vendors argue that high availability (HA) architecture trumps the need for DR planning…
• Echoed by vendors of software-defined storage and cloud-based infrastructure services…
• Even the value of data is being called into question…
IT
• Application Developers - Agile on cloud: development system of engagement, interaction, prototyping
• Operations - focus on systems of record, resiliency and reliability of the platform
Data is GROWING… and will continue growing!!!
How do we protect it all? 3-2-1 is the mantra
Replicating data is still the first step:
• Make 3 copies
• On at least 2 different media types
• Store 1 copy off site
But the modality for copy is varied: Continuous Data Protection, block snapshots, volume cloning, bare-metal backup, synchronous mirroring, asynchronous replication
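As an added example (not from the presentation), a small Python check that scores a backup inventory against the 3-2-1 rule and against a target RPO; it treats only offsite copies as survivors of a site loss, so an inventory can pass 3-2-1 and still miss its RPO. The inventory, field names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set, as recorded in a (constructed) backup inventory."""
    name: str
    medium: str         # e.g. "disk", "tape", "object-storage"
    offsite: bool       # stored at a different site from the primary data
    taken_at: datetime  # completion time of the most recent successful run


def check_3_2_1(copies):
    """Return which of the three 3-2-1 conditions the inventory meets."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def worst_case_rpo(copies, now):
    """Data-loss window if the primary site is lost right now: the age of the
    freshest copy that would survive a site loss (i.e. an offsite copy)."""
    survivors = [c for c in copies if c.offsite]
    if not survivors:
        return None  # no offsite copy: a site loss means total data loss
    return now - max(c.taken_at for c in survivors)


def evaluate(copies, now, rpo_target_hours):
    """Combine the 3-2-1 checks with the RPO check into one verdict."""
    result = check_3_2_1(copies)
    rpo = worst_case_rpo(copies, now)
    result["rpo_met"] = rpo is not None and rpo <= timedelta(hours=rpo_target_hours)
    result["compliant"] = all(result.values())
    return result


# Constructed sample inventory: passes 3-2-1, but the only offsite copy is 6 h old.
NOW = datetime(2016, 10, 7, 12, 0)
INVENTORY = [
    BackupCopy("primary-disk-snapshot", "disk", False, NOW - timedelta(hours=1)),
    BackupCopy("onsite-tape-full", "tape", False, NOW - timedelta(days=1)),
    BackupCopy("offsite-cloud-replica", "object-storage", True, NOW - timedelta(hours=6)),
]

if __name__ == "__main__":
    print(evaluate(INVENTORY, NOW, rpo_target_hours=4))  # compliant: False (RPO missed)
```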
All DATA is not the same…
• Is Ap an important element?
• Is version an important element?
• Is time an important element?
Besides these, cross-referencing data to application to business process - own or third party
All these are also, in a way, DATA for the CSP. Can't leave it stating "not in SLA".
New technology is a two-edged sword…
• In a virtualized, software-defined, cloud-enabled world, the application and infrastructure are data…
In short, you are still going to need DR / BC Planning…
• Aligned to business processes, not hypervisor workloads or HW/SW stacks…
• Built on a clear-headed assessment of risks/costs, relative criticality, and recovery requirements…
• Leveraging common sense and dogged testing and validation…
• And constructed in a business-savvy way: respectful of the sensibilities of senior management,
In short, you are still going to need DR / BC Planning…
• Can we have a Disaster Avoidance Strategy?
Look at the structure of a business continuity planning project
• Beginning with Specification and Design
• Then Implementation and Validation
Specification and Design are ultimately the determinants of plan success
Do customers understand their DR / BC requirements? Or is it suggested by the vendor?
"Just deploy our offering and all business continuity needs will be met"
Only 5% of downtime may be due to big D… disaster
The methodology is called business process deconstruction…
• The business process is the proper focus of DR/BCP… - not the application, not a server or storage array, not some data
• Business processes contain tasks and workflows that must be "deconstructed" and examined separately
• You may have thousands of business processes: ask management to point you toward those that they see as "mission critical" to establish a starting point…
Leads to bogus quantitative risk analysis… Understand your risk
Source: DMI
This is true for…
• The Internet of Things
• Mobile Commerce
• The Hybrid Data Center
• The Digital Democracy
• And many more
Cloud backup needs to be considered carefully…
Role of SOC and NOC
Figure: Security Event Manager Core Architecture (components shown: Input and Output Modules, Technology Specific Modules, Inference Engine Modules, Master Correlation Engine, Secure Transmission Protocol, Storage Technology Modules, Functional Specific Modules, EVM Processor Core)
N-Tier SIEM: 3rd-party SIEM correlated integration
Expectations in DRAAS from CSP
Synopsis: DRaaS providers - architecture, RPO and RTO, role of SOC and NOC, health check indicators.
Can we measure the extent of compliance with ISO 22301, ISO 31000, and ISO 27001?